Hi Nirmal,

Please find answers inline,

On Sat, Oct 5, 2013 at 10:04 AM, Nirmal Fernando <[email protected]> wrote:

> Hi Pradeep,
>
> Thanks for this contribution. I hope this will provide the basis for
> others to build Stratos REST API.
>
> Few questions inline.
>
> On Fri, Oct 4, 2013 at 10:57 PM, Pradeep Fernando <[email protected]> wrote:
>
>> Hi Devs,
>>
>> I came up with an implementation of the above feature and the patch can be
>> found at [1]
>>
>> *How it works*
>>
>> - The web-app to Carbon runtime state exchange happens via OSGi services
>> - The JAX-RS application is using Apache CXF as the REST engine
>> - Authentication and Authorization of incoming requests are handled using
>>   two separate JAX-RS providers registered against the service class
>> - Authentication/Authorization is closely integrated to the underlying
>>   carbon authentication/authorization framework
>> - I have defined two new annotation classes to capture method level
>>   permission details
>>   * @AuthorizationAction("PermissionString") - allows the admin service
>>     writer to annotate a certain operation with permission string. Requests
>>     get authorized only if the invoking user has enough permissions
>>
>
> Where are these permissions stored? Can you explain how can someone
> compile this string?
>

This is the permission string related to the Carbon permission model. IIRC, this
is the same string that you use inside the services.xml AuthorizationAction
element.

>
>>   * @SuperTenantService (true|false) - only the super-tenant user can
>>     access the service
>>
>
> false implies all the tenants including super-tenant can access this
> operation right? If so, can you please consider renaming this annotation?
>

In the Carbon permission structure, super-tenant is special. The other way
around, that is, super-tenant can perform tenant operations, is implicit IMHO.
In that sense, when we say @SuperTenantService(false), it means it is not a
super tenant service -> any other tenant admin service. I'm OK to change this
annotation; two concerns:

1. I used the same jargon that is being used in services.xml,
   <SuperTenantService>. Introducing another wording for the same thing might
   be confusing.
2. We don't really use the @SuperTenantService(false) annotation. The default
   is false. Maybe we should change this to a marker annotation
   -> @SuperTenantService

>
>> - During the deployment time, the authorization handler gets injected with
>>   the service bean. It processes all the authorization-related annotations
>>   and builds an information model. When a request comes in it verifies the
>>   expected permission vs bearing permission.
>>
>
> Can you please explain how someone can plug a new authorization handler?
> What classes to extend, what interfaces to implement etc.?
>

They just have to implement the jaxrs.RequestHandler interface and declare the
bean in the spring config file (cxf-servlet.xml).

I did not come up with an authentication/authorization abstraction for Stratos
in the implementation. It is too early IMHO. Once we have at least one other
authentication/authorization module we can define the abstraction.

>
>> *Challenges/Approaches that did not work.*
>>
>> CXF project provides an AuthorizationFilter called
>> SimpleAuthorizationFilter[2] for JAAS based request authorization. It uses
>> the @RolesAllowed annotation to identify authorized users. However it does
>> not suit well for the Carbon authorization system. Hence I came up with my
>> own annotation types, which closely resemble params used in existing WS
>> admin services.
>>
>> *Authentication mechanism is pluggable*
>>
>> - Right now there is only one authenticator. It uses basic-auth to
>>   authenticate incoming requests. It is possible to plug in other kinds of
>>   authenticators.
>>
>> *How to write your new RESTful admin service*
>>
>>     @POST
>>     @Path("/tenant/create")
>>     @Consumes("application/json")
>>     @Produces("application/json")
>>     @AuthorizationAction("/permission/protected/manage/monitor/tenants")
>>     @SuperTenantService(true)
>>     public String addTenant(TenantInfoBean tenantInfoBean) {
>>
>>         return success;
>>     }
>>
>> *Sample Request from CURL*
>>
>>     curl -X POST -H "Content-Type: application/json" -d '{"tenantInfo":{"admin":"admin","firstname":"Frank","lastname":"Myers","adminPassword":"admin123","email":"[email protected]","tenantDomain":"frank.com"}}' -v -u admin:admin https://localhost:9443/stratos/admin/tenant/create
>>
>> *TODO*
>>
>> This is more of the framework for implementing RESTful admin APIs. I have
>> implemented two operations for the moment. We have to populate the service
>> bean with the rest of the API. It's a matter of porting existing code to the
>> new service bean. What is more important is to carefully design REST
>> endpoints.
>>
>> Unlike WS endpoints, we have to be careful with REST endpoint / where the
>> parameter goes in endpoint / HTTP method used / etc. I will spawn a
>> separate thread on the topic.
>>
>> I have applied the patches to the JIRA. Would be great if the code can be
>> committed to the main trunk. :)
>>
>> [1] https://issues.apache.org/jira/browse/STRATOS-90
>> [2] http://cxf.apache.org/docs/secure-jax-rs-services.html
>>
>> thanks,
>> --Pradeep
>>
>
> --
> Best Regards,
> Nirmal
>
> C.S.Nirmal J. Fernando
> Senior Software Engineer,
> WSO2 Inc.
>
> Blog: http://nirmalfdo.blogspot.com/
>

thanks,
--Pradeep
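
Added example, not part of the thread or of the STRATOS-90 patch: a self-contained Java illustration (Java 16+) of the mechanism described above, where the annotations on the service bean are scanned once at deployment time into an information model and each request's expected permission is compared with the permissions the caller bears. The annotation types are re-declared locally; the class and method names (AnnotationAuthzDemo, TenantAdminBean, Rule, buildModel, isAuthorized), the deny-by-default handling of unannotated methods and the "a grant covers its subtree" matching are assumptions of this example.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class AnnotationAuthzDemo { // hypothetical name
    // Local re-declarations of the two annotations named in the thread.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface AuthorizationAction { String value(); }
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface SuperTenantService { boolean value() default false; }

    // Hypothetical stand-in for the service bean; permission string as in the thread.
    static class TenantAdminBean {
        @AuthorizationAction("/permission/protected/manage/monitor/tenants")
        @SuperTenantService(true)
        public String addTenant(String tenantInfo) { return "success"; }
        public String unannotated() { return "success"; }
    }

    record Rule(String permission, boolean superTenantOnly) {}

    // Deployment time: scan the bean once and build the information model.
    static Map<String, Rule> buildModel(Class<?> bean) {
        Map<String, Rule> model = new HashMap<>();
        for (Method m : bean.getDeclaredMethods()) {
            AuthorizationAction a = m.getAnnotation(AuthorizationAction.class);
            if (a == null) continue; // no rule recorded, so isAuthorized() denies it
            SuperTenantService s = m.getAnnotation(SuperTenantService.class);
            model.put(m.getName(), new Rule(a.value(), s != null && s.value()));
        }
        return model;
    }

    // Request time: expected permission vs. the permissions the caller bears.
    static boolean isAuthorized(Map<String, Rule> model, String method, Set<String> granted, boolean superTenant) {
        Rule r = model.get(method);
        if (r == null) return false; // deny by default (choice of this example)
        if (r.superTenantOnly() && !superTenant) return false;
        for (String g : granted) { // assumption: a grant covers its whole subtree
            if (r.permission().equals(g) || r.permission().startsWith(g + "/")) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        Map<String, Rule> model = buildModel(TenantAdminBean.class);
        Set<String> perms = Set.of("/permission/protected/manage"); // constructed sample grant
        System.out.println("super tenant, addTenant:   " + isAuthorized(model, "addTenant", perms, true));
        System.out.println("other tenant, addTenant:   " + isAuthorized(model, "addTenant", perms, false));
        System.out.println("super tenant, unannotated: " + isAuthorized(model, "unannotated", perms, true));
    }
}
```

The model here is keyed by method name, so overloaded operations would need a fuller key such as the method signature.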
